How Secure Is Your Network?
from Summer 2000
by Randy Myers
A vicious cyber-phobia is creeping into corporate boardrooms: the realization that some cutthroat outsider could hack into the company's computer network and, in a keystroke, knock your business on its back.
For directors too preoccupied or lackadaisical to worry about computer security before, the alarms have been going off all year. During one harrowing three-day stretch in February, hackers were able to blast through the defenses of seven popular websites, including well-known giants like Yahoo!, eBay, and Amazon.com. One hacker who successfully breached CNN.com was allegedly a 15-year-old from a Montreal suburb with the cyber-alias Mafiaboy.
Are directors liable if a marauder sneaks into their company's computer network and damages the business? Could be (see e-fraud box), although insurance companies are scrambling to keep up with the changes in computer technology and the liabilities involved. But there's one area where directors are indeed vulnerable: the bottom line. "Corporate boards are at risk if they fail to take steps to prevent computer attacks that create shareholder losses," says J. Roger Schermerhorn, senior manager and director for network security in the computer risk management practice of Arthur Andersen, the accounting firm.
Most of the February e-muggings were so-called "denial-of-service" attacks. To mount such attacks, hackers employ a technique called "spoofing," which is no joke. Using false addresses, they break into insecure computer networks via the Internet and then use those systems to flood a target site's computers with bogus sequences of data. In the February attacks, the sudden wave of information overwhelmed the target computers, preventing access by legitimate users for a couple of hours.
A Boston Consulting Group analyst pegged the total damage of the February events at $1.2 billion, which to these Internet behemoths is not much more than chump change, so the companies shrugged off the attacks. But they were embarrassed and badly stung. Other victims looked beyond the actual damage they had suffered and considered how bad it might have been. "Who's to know what would happen if we were to go down for half a day or longer?" said Martha Papalia, spokesperson for ZDNet, a website for technology enthusiasts.
For the hundreds of other companies looking on in horror, the implications of the hacking blitz were obvious and ominous. After all, if tech-savvy firms like eBay and Yahoo! could be so vulnerable, anybody else's network must be a sitting duck. As it turns out, such fears are all too justified. According to the results of a nationwide survey released early this year by the FBI and the Computer Security Institute in San Francisco:
- 90% of the 643 corporations and public agencies surveyed detected computer security breaches during 1999;
- 70% reported attacks considered serious, including theft of proprietary information, financial fraud, or sabotage of data;
- 25% of the companies surveyed revealed that outsiders had penetrated their computer systems, with the Internet serving most frequently as the break-and-enter point;
- A whopping 71% disclosed that insiders had gained access to restricted areas;
- 273 of the surveyed companies were willing or able to tally cost estimates for the electronic mayhem, which came to $266 million. Factoring in those companies unable or too squeamish to report losses, the nationwide total could be close to $1 billion.
"Computer security has become a huge issue," says Tom Beach, senior vice president for risk management solutions at Baltimore-based Fidelity & Deposit Companies of Maryland. "The Internet was not invented as a highway for commerce, it was a conduit for the open flow of information. As a result, the controls are not there for commercial transactions. Those attacks in February were attacks on companies on the cutting edge of technology that we have to assume had all of the system controls they could possibly have, and look what happened."
To be sure, the executive team is responsible for directly managing business risks, including computer security. But for directors, it's no longer enough to ask management whether the company's computer networks are secure and blithely take yes for an answer.
To get a bead on computer security, directors first have to know what they should be worrying about. J. Russell Gates, global director of technology risk consulting for Arthur Andersen, identifies major risks in three areas: performance, availability, and integrity.
Performance in this case means the speed and reliability of the computer network. Because so many businesses today depend on e-connections with vendors, trading partners, and customers, any event that affects network performance is a critical threat. So, too, is anything that disrupts the network's availability, such as the attacks that hamstrung Yahoo! and others. Threats to the integrity of the network include acts that would compromise the reliability or confidentiality of intellectual property available on the network, such as theft or destruction of data.
"The first question the board should be asking management is, 'Given what we're using technology for today, how have we assessed the risk to our business as a result of any failure of that technology?'" says Gates. "I recommend starting with the business implications because they will be different from company to company, even when you're dealing with the same threat. A denial-of-service attack means a lot more to eBay, for example, than it does to somebody that doesn't have an e-commerce site."
Once you've identified the threats to your business, it's easier to develop a defense. But first you're going to need a coherent plan. And while many people tend to think immediately of a "firewall" designed to keep intruders out, that kind of software is often more a security blanket than an impenetrable barrier.
"Firewall software helps to solve the problem, but we believe it is only about one-third or one-half of the solution," says Gates. "Security starts with having policies for the deployment of the tools. Who manages the tools? Who is responsible for them? What do they actually do? How do they make decisions? When I install a firewall, for example, I have to make a host of decisions about what it does and doesn't do, about what kinds of services I'm going to allow in and out of the network, about which sites I'll lock up, about how I'm going to identify the source of traffic coming into the network. Just saying 'I have a firewall, therefore I'm secure,' is like saying, 'I have a computer, therefore I'm an e-business.'"
"Security is no longer about throwing product after disparate product at a problem," agrees George Kurtz, chief executive officer of Foundstone, a computer security consulting firm in Irvine, California, and coauthor with Stuart McClure of Hacking Exposed: Network Security Secrets & Solutions (Osborne/McGraw-Hill, 1999). As Kurtz explains, security products can be good at spotting and fixing isolated problems, but they're not so good at recognizing how hackers exploit the vulnerabilities in a computer network that allow them access in the first place. Software alone can't prevent a person from choosing a password that's easy to guess or ensure that employees stick to a company's security rules. Nor can it prevent a recipient from opening e-mail that carries a devastating virus such as the notorious "Love Bug" that swept across the world last spring, closing some e-mail systems for days and wiping out multimedia files around the world. Among Love Bug's victims: Ford Motor, the Pentagon, and the British Parliament.
Software security experts agree that companies should take a minimum number of steps to establish basic protection. These include setting up a clear policy stating security practices and who's responsible for them and installing encryption software to scramble sensitive data. (For more, see box at left.)
The cost of these measures can vary wildly, from hundreds of dollars to hundreds of thousands of dollars, depending upon the size, complexity, and reach of the company's computer network. A typical "penetration test" by an outside consultant can run from $25,000 to $100,000, according to Gates.
Some tests can be even pricier. NEC USA, a Texas-based holding company for various U.S. subsidiaries of computer and telecom giant NEC Corp. of Japan, has received bids on such tests running as high as $500,000, according to Rocky Johnson, one of its senior networking analysts. Of course, NEC and its affiliates have a gargantuan computer network for 150,000 employees around the globe, meaning that a test attack on the system would have to be extraordinarily wide ranging. Because of the steep price of the bids, Johnson says NEC USA chooses to do its own penetration tests. But he estimates that the company still spends about $2 million a year on computer security, including salaries for four people plus equipment and software. Johnson reminds directors that whatever is spent on hardware and software will only be a fraction of the costs for personnel to implement and audit a security policy.
For small companies, the technology budget is likely to be leaner and may not include money for a security specialist like Johnson, much less a sophisticated test to probe the network's defenses. That's why companies are springing up to provide outside solutions to computer security. These include SecureWorks of Atlanta, a 1999 start-up that already has more than 600 clients, and Enstar of Irving, Texas, which began selling security products in 1997 but is now rolling out a comprehensive, managed network security service.
One of SecureWorks' customers is Vested Technologies, a computer consulting firm in Connecticut that caters to small and mid-size law firms throughout New England. President Mark Bellenger blanched when he was first told it would cost the company $20,000 to $30,000 just to have a firewall installed. Outsourcing, he says, provides a much more economical solution.
Bellenger wouldn't disclose his security costs, but SecureWorks CEO Joan Wilbanks says her company provides clients with the necessary hardware and software for firewall protection, intrusion detection, and monitoring services for an upfront cost of about $20 per user. That's a bargain compared to the $200 per user she estimates a company would typically pay to buy the necessary hardware and software and then to hire a consultant to install it. SecureWorks then charges a monthly fee ranging from $60 for up to nine users to $625 per month for 250 or more users.
So far, computer system marauders have not been able to inflict permanent damage. No crucial data (customer records, credit card information, internal financials, marketing plans, or other trade secrets) were stolen, destroyed, or corrupted in the attacks earlier this year. No nuclear missiles were launched. Papalia says the ZDNet website actually saw an increase in traffic around the time of the attacks from people wanting to learn more about what was happening, enough to offset the normal traffic the company lost during the two-and-a-half hours its e-mail was clogged. In other words, ZDNet was able to deliver the expected number of viewer "impressions" that it had promised its advertisers.
The pain of crashing for only a few hours is relative, of course. While an online shopper hunting down the latest John Updike novel may not be terribly inconvenienced by the delay, an investor anxious to sell stock in a company that just reported weak earnings might not feel so charitable if she can't reach her online broker. In fact, one of the companies attacked in February was E-Trade Group, though it describes the damage it suffered as minimal.
Other attacks have been far more serious, measured by immediate and perceived future damage. Last December, a Russian hacker reported he had stolen 300,000 credit card files, including card numbers, from the website of online music retailer CD Universe, a subsidiary of eUniverse in Wallingford, Connecticut. The hacker, who called himself Maxim, threatened to make the information public unless he was paid a $100,000 ransom. When CD Universe refused, he made good on his threat and began posting the credit card information on the Web. Maxim is still at large, by the way.
In the wake of this blackmail, eUniverse hired an outside security firm to review its technology systems. The company also worked with credit card companies to limit losses associated with the theft of the data. In addition, eUniverse contacted individual customers and issued $5 gift certificates to make up for the inconvenience.
One London woman reported thousands of dollars of merchandise purchased in Paris charged to her account. Her credit card company removed the charges.
More recently, Moore Publishing Co. of Wilmington, Delaware filed suit in federal court against the Washington, D.C. law firm of Steptoe & Johnson, alleging that one of the firm's employees used a stolen e-mail identity to launch a "cyber-war" against Moore, an online retailer of public records. Rodney Sweetland III, Moore's attorney, said the employee used the stolen identity to jam Moore's website and to post defamatory messages about Moore and its president on an Internet newsgroup. Moore is seeking over $10 million in damages. Steptoe wouldn't comment.
Unknown numbers of hackers, some professional criminals, others teenage thrill seekers, continue to subject corporate computer networks to an onslaught of automated pokes and probes ("port scans" in tech-speak) as they rummage for anything they can break into and exploit. NEC USA's regular checks for intruders show "there's always somebody probing us and looking for weaknesses," says Rocky Johnson. "It's 24/7."
Is this the new look of industrial espionage? Harry DeMaio, president of Deloitte & Touche Security Services LLC in Deerfield, Illinois, thinks so: "If you're willing to kill your competitors, you're sure as heck not going to stop at hacking into their computers." NEC USA regularly notes hacking attempts "coming from the Middle East, China, and Russia," says Johnson. "That's very common."
It seems inevitable that whatever the motive, a hacker, somewhere, sometime, will target your company. Protecting yourself is the price you have to pay to compete in the connected economy.